So You Want to be a Security Professional?

Photo: Revenge of the Nerds movie, 1984

Are you ready to trade in your Prada sunglasses, Farrgamo shoes, and True Religion jeans for glasses with tape in the middle, Converse sneakers, and Levi’s with holes? The appeal of joining other geeks in Jolt cola fueled midnight hacking sessions is overwhelming you? So you still want to be a security professional?

Hollywood is excellent at conjuring images of security professionals, Matrix and Swordfish movies come to mind, but what’s the field of security really like? What career paths are available and which best match your interests? What are some of the benefits and challenges in the field? What is the compensation like? One thing is for sure, once you become a security professional you take the “Red Pill” (enter the rabbit hole) and there is no going back. Your mind is irrevocably altered. Even if you return to your previous profession, you will view the world through different eyes.

Many don’t realize but all security jobs are not created equal, there are specialties within the field. Experts in one security domain may have only a cursory knowledge of other security domains. The security field is still growing, defining itself, and maturing.

Following are some of the more popular security roles your likely to encounter in the field. Don’t be distracted by my abbreviations, they only serve to save time typing and make for easier reading. Also I thought it would be more useful to up-level some of the skills so your not going to find the resume power words like, ArcSight, NMAP, NetWitness, EnCase, etc. You can find in ten minutes on Monster and up-leveling makes the skills makes them a little more understandable by those newer to the field.

Chief Security Officer (CSO)/ Chief Information Security Officer(CISO) – CSOs are top security leaders for an organization. CSOs/CISOs typically have a technology background combined with a focus on business. At the CSO level, very important risk based decisions are made around security. It’s essential to have a skilled CSO that understands security, technology, and how they apply to solving business problems. To provide an example, as an individual we all make risk based choices every day. You may leave the windows on the second floor of your home open on a hot day when you leave for the grocery store. Unless there is an easy way to get to the second level of your home it’s an acceptable risk. So the risk of home invasion is not precisely zero but it’s low enough or what you may consider within acceptable limits. This is much like applying security to business challenges. Security resource is finite and must be placed where they provide the most impact, bang for the buck if you prefer. It takes real expertise to allocate these resources or be brave enough to ask for more if it’s necessary. Background for a CSO may be business or technology but as the top leader they typically have formal training and mastery over business, technology, security, as well as other areas like privacy and compliance. Skills: Advanced education is typical, excellent communication skills, business and technology, compliance, privacy, knowledge of applicable laws (which vary between types of business), deep knowledge of several security domains and IT domains, and often well-known throughout industry.

Network or Software Security Architecture(SA) – Security Architects influence secure system design from the start of a project. Think of SA like drafts persons or architects who create blueprint designs for our homes and office buildings. Drafting a change to an existing blueprint to move a wall outlet to a different wall location is an easy change to accommodate. Moving the buildings foundation three feet to the left when the roof is going up — disaster! Building a large software product or infrastructure driving many products (like a cloud provider) has similar challenges. This is why it’s so very important to have security thinking across all stages of system design. Security influence up front is essential, it’s far easier to change a bad idea at the start of a project than one million lines of software code supporting a bad idea at the end of a project. Establishing the benefit case for SA is challenging since project success is only loosely related to the work performed (by the SA) or level of resource investment. For instance, it’s easy to measure output or workload of SA but far more challenging to prove conclusively how SA influenced projects to more successful outcomes. SA specialties in applications or network infrastructure are typical. Skills: A deeper understanding SSE, SecOps, NSE, skills sets, IT background, and well-known throughout the company and sometimes industry.

Security Operations(SecOps) – SecOps are the techies who have “eyeballs” on the networks or system watchdogs. SecOps is watching data center perimeters, servers, and data, to see when bad guys are knocking on the doors. Sometimes SecOps spot checks security patching on servers, and checks for infected laptops. Infected laptops are quarantined and report to IT for reimaging. A benefit of SecOps domain is that it’s usefulness is easily quantifiable to business. For example, we fixed N number of infected laptops, discovered malware in N payloads, found N unpatched servers, etc. It’s easy for business leaders to imagine what would happen if the SecOps program was not in place (or properly staffed). An aside, if you have high remediation and mitigation numbers it looks great on reports. But perhaps investing in more SA resources will provide better application and network infrastructure up-front, lead to deeper project review, and there will be less vulnerabilities in the first place. SecOps employes a battery of tools to accomplish their efforts, commercial and open source tools, lots of in-house scripts for targeted analysis. Skills: OSI stack, in-depth protocol knowledge, scripting languages, programming languages are helpful, open source tools, commercial tools, Windows and *NIX command lines, and various operating systems, and peers are usually IT groups within company. Security Compliance(SecComply) – Compliance staff are the policy watchdogs. Compliance reports organization conformance to established policies. For example, when staff develop software, build or deploy systems they sometimes cut corners to finish on deadline. If one of the areas being cut is security it will impact the product and may negatively impact the business. It’s worth noting that good compliance is not the same as good security. It’s possible to have a great compliance program and horrifying security. Sadly, it happens all the time. The key is to carefully establish a set of corporate policies and technical controls comprehensive enough to meet your goals. Compliance is a powerful tool to understand your corporate readiness if implemented correctly. Luckily there are some “gold standards” to leverage when drafting your security policies like ISO17799. Even if you don’t wish to be ISO17799 compliant, the standard provides a good framework or grab bag of information to leverage. Incidentally, there are also good risk management frameworks like NIST 800-30. Again, you may not desire the heft of a government level risk management program but it’s an excellent grab bag of ideas you can leverage or combine with other risk approaches like FRAPS. Skills: policy management, IT compliance, internal/external audit experience, risk management experience, and works closely with business leaders and technology leaders within company.

Forensics – Throughout the course of business it sometimes becomes necessary from to collect electronic evidence from information systems. Evidence suitable for use in a court of law requires special handling to ensure it’s free from tampering or alteration. Even if your only collecting evidence for internal investigations there’s much to be aware in way of laws and individual privacy rights. There are also a cadre of digital forensics tools for imaging and storage of data. Typical cases range from disgruntled employees, compromised applications (e.g., databases), accidental destruction of data, and more. Skills: scripting languages, open source tools, commercial forensics tools, Windows and *NIX command lines, various operating systems, and works closely with security leadership and IT leadership within company Software Security Engineering (SSE) – SSE are skilled programmers specialized in one or more programming languages. Working knowledge of security algorithms like hashing, encryption, or developing application or infrastructure security models are typical. This is my background so I thought it would be helpful to share some personal experience. As an SSE, I transitioned from programming business applications to writing application security infrastructure. Applications security infrastructure is the foundation or plumbing leveraged across many software applications in a suite or enterprise. It’s a bit of an abstract concept so a practical example may be helpful to explain. Consider your company has ten software applications. If you have to sign-on or authenticate to each application it’s bothersome for end-users. Just like cloud apps, you want to authenticate once across all applications. Similarly, if you create a document in one application and assign permissions you want those same permissions to be visible across other applications. So a job run in a scheduler application may produce output reports visible in a document viewer application. Administrators may have access to the job to alter schedules but only business units have access to the output data. Application security infrastructure, as you can imagine, makes a system more secure since the security model is centrally managed and shared across business systems. And more importantly, it makes for a positive end-user experience within the application. It’s always a bonus when security and the user experience can be improved together. As an SSE, my expertise was developing enterprise class role-based access control systems (NIST RBAC 92) and interfacing them into existing security systems like Microsoft Active Directory, LDAP v3, Windows LAN Manager, etc. Creating these is considered somewhat old school today since many popular open source projects and protocols are available. Still it provides some idea for the type of work an SSE may do. Skills: programming, scripting languages, OSI stack, deep understanding of protocols, and works closely with security leadership and IT leadership within company.

Cryptologists – Cryptologists are academics highly proficient in mathematics with an interest in security. The purpose of cryptography to devise algorithms protecting information from unauthorized disclosure and tampering. Once algorithms are created and peer reviewed they are generally implemented by SSEs for use in hardware and software products. Cryptologists may also perform the converse, that is decipher an encrypted message or alter a message in transit in such a way as to evade notice. It’s likely most cytologists work for the government, universities, or larger vendors. If you want to look at a cryptologoists leader in the field take a look at Bruce Schneier’s site. Bruce has the tech chops but is also a skillful communicator. Skills: advanced mathematics background, cryptographic theory.

Penetration Testers(PT) – PTs try to find the security vulnerabilities in systems and see if they are exploitable. PTs are the spot checkers and some know how to program and some do not. Most have a solid understanding PT tools, commercial and open source tools, and writing scripts. Penetration testing is a highly specialized skill that takes training. At least if your good. Some are self-taught and their are some excellent places to learn these skills like SANS Institute. Skills: OSI stack, in-depth protocol knowledge, scripting languages, open source tools, commercial assessment tools (dynamic/static analysis), Windows and *NIX command lines, and various operating systems.

Ethical Hacking Teams(EHT) – EHT are essentially PT but having the word “ethical” in their title helps to drive the point home that security ninja skills are used only for the purposes of “good”. Also some refer EHT in the purest sense since there is a formal certification for Ethical Hacking. So some would say you cannot be EHT without the certification. I consider EHT like PT, good guys kicking the tires of systems looking for security holes. EHT teams are great asset and usually companies with more security maturity invest in these teams to help with spot checks. Some companies use a the “Red” and “Blue” team terminology. Red team are the EHT trying to break into systems and Blue teams are the defenders. Essentially, the idea is pit one team against the other and by continual evolution of these exercises application security posture improves over time. Skills: same as PT

Security Education/Trainer – Depending upon your role in our digital society there are more or less things you need to know about security. As a consumer, you need to understand how to keep your personal information safe. Managing privacy settings in your social networks, deciding to use them at all, protecting your financial information, etc. Software developers have much more to learn to defend information systems from adversaries. Business leaders making security decisions about the level of investment in security need different types of training. As an instructor, the more you know about security and and information technology the wider appeal and more useful you will be. I like to think of a instructor as a “whole package”. Meaning some instructors are stronger in presentation and communication but a little less technical or perhaps limited in their scope or depth of knowledge, others present like Ben Stein but are super technical. Presenting as either will polarize your audience. To the extent you can be both engaging and knowledgeable — you will be destine for greatness. Skills: communications and training, public speaking, creative thinking (making content interesting to different audiences is essential), broad knowledge of different areas in security, in-depth knowledge is good as well.

A great place to see the security positions and skill requirements is to check out job postings or join security groups on LinkedIn. Keep in mind, the previous positions are some of the positions your likely to encounter but every employer or business is different and some combine multiple roles into a single job position. Also there are various levels of technical and management leadership I have purposefully omitted like Manager, Sr. Manager, Director, to make for an easier read. My list is purposefully light in the way of compliance or privacy positions which are evolving into entirely separate domains of expertise. In fact, in many large organizations, compliance and privacy are entirely separate domains. Following are some of the larger benefits and challenges in field of security.

Benefits in the security field…

The work is rewarding and there is always something new to learn.

Due to the nature of the work and level of trust required mid to senior level positions are not likely to be sent off shore anytime soon.

The field is small so you can reach out and touch your heroes. As you attend various security conferences it’s likely you will meet some of your security heroes. If your brave enough to engage them in conversation, you will discover they have a passion for what they do and love to talk shop. Engaging other knowledgeable professionals is essential to challenging and changing the way you think and self-improvement. At it’s core, Security is a way of thinking. It’s more than the technology or tools. It’s not a way of thinking that comes natural to most people but it can be learned.

Compensation is excellent and there is more work than skilled professionals. This is good news if your looking for work but also frustrating if your looking to hire security professionals. I’m guessing security is a probably the top 1% of IT organizations so there are comparatively few security professionals throughout the field. I’m sure the numbers will creep higher as the field matures. It’s a very healthy balance and tipped slightly in favor of workers (at least since I can recall). For some objective data, I found a report by InformationWeek related specially to security professionals, 2013 InformationWeek U.S. IT Salary Survey: Security. The paper is free to download so long as you share your personal information but I’m sure your accustomed to such requests. Isn’t that right, John Doe? You can also Google the report title for commentary which you may find more informative anyway.

The security field is tremendously misunderstood and there is much opportunity for improvement. There is plenty of room for bold improvements and the field is wide open for bright minds and new heroes.

Challenges in the security field…

The largest challenge by far in security is awareness and education. This is the single biggest failure. When we are sick we see a doctor. When our car is having engine troubles we go to the dealer. Unfortunately, there are many making decisions about security should consult a professional. Such projects are doomed before they start. The lesson hear is that everyone needs security education for their role — not just the techies.

Security is not a money maker for business (unless your a security company). The Return on Investment(ROI) case for security is next to the plans for the free energy machine and directions to the Fountain of Youth. Don’t waste your life trying to find an ROI case. Most organizations treat security like dental hygiene — they know they need it but they don’t like to do it.

It can be challenging to communicate the precise amount of security to apply and consequences if not applied. For example, we know we need to brush in circles but why do we have to floss? What happens if we only floss every other time we brush? I wonder what my dentist would say if I asked that question? I think of it like this, not everyone has the same level of appreciation for dental hygiene that hygienists do. These are analogs to the kinds of questions you will receive in security. Never assume what is so plainly obvious to you is obvious to someone else. Every opportunity is an opportunity to educate.

Favoring compliance over security. In deciding between compliance and security, compliance always wins. On the low-end, a compliance failure means embarrassment for the business. On the high-end of the spectrum, big fines and someone wins a permanent unpaid vacation. Easy consequences to understand. Unfortunately, good compliance is not the same as good security as I noted previously.

Almost all security professionals master some other field and transition into security. To be expert at security implies mastery in more than one domain, security and something else like systems administration, network administration, programming, privacy laws and regulations, etc. Yes, compensation is good but the bar is high. The point here is that security takes some investment on your part. You need to build out your primary skills first (and the more experience the better) prior to considering security.

Most people trust implicitly unless they have a reason not to trust. In security speak, these people are sheep (or sheeple). It’s not a very kind label, but I think it’s born out of frustration from watching one jump off the security cliff and seeing the rest follow. Meaning, we may learn from our history but we don’t always learn from the security mistakes of others. Security awareness and education are key to making the best possible decisions in our personal or professional lives.

Nobody in the security field today went to school for security. It’s a completely new field born out of necessity for our dependence upon information technology. Security is one of the toughest jobs you can ever do but it’s also the most fascinating and rewarding. The field is constantly changing. What was secure yesterday is no longer secure today. Areas that were a concern are no longer a concern. Our society is forever changed. There’s no doubt security professionals will be even more important in the future than they are today. If you are already a security professional you may wish to review a related post, “Power-Leveling Your Computer Security Career”. Best of luck!

One thought on “So You Want to be a Security Professional?”

I have been intrigued by technology for as long as I can remember. I was always that go to person when anyone had a problem and I like that. I am graduating with my IT degree soon and I aim to become a specialist in network security architecture. Like any job you don't start out with all the bells and whistles and at the top of the company. You have to work your way up and this should be expected in any profession.